Set up MFA
Multi-factor authentication (MFA) adds a second step to every sign-in: a time-based one-time code from an authenticator app, or a hardware security key.
Supported factors
- TOTP authenticator apps — Google Authenticator, Microsoft Authenticator, 1Password, Authy, Bitwarden, others.
- Hardware security keys — WebAuthn / FIDO2 (YubiKey, Titan Key, Windows Hello, iCloud Keychain).
- Recovery codes — one-time codes to store in your password manager in case you lose your other factors.
We recommend enrolling at least two factors — one hardware key and one TOTP app — so you are not locked out by a lost phone.
Steps — TOTP
- Open Profile → Security → Set up authenticator app.
- Scan the QR code with your authenticator.
- Enter the 6-digit code your app shows to confirm.
- Save the 10 recovery codes offered to you — put them in a password manager or print them.
Steps — hardware security key
- Open Profile → Security → Add hardware key.
- Click Register key, then touch your YubiKey (or scan your fingerprint with Windows Hello).
- Give the key a label you will recognise ("Office YubiKey", "Personal Titan").
What happens next
On every sign-in (and at step-up checkpoints like privileged session launch), VaultPAM asks for one of your enrolled factors.
If your user account belongs to more than one organization, the same confirmed TOTP enrollment can be used for step-up in those organizations too.